Skip to main content

Steam Invites and TF2 community servers may have been used to hijack PCs, hack hunters claim

The TF2 spy looks shocked!
(Image credit: Valve)

An exploit in Source Engine games like Team Fortress 2 and Counter-Strike: Global Offensive may have let hackers remotely access players' PCs for years, a non-profit reverse-engineering group revealed this weekend.

In a series of tweets, Secret Club revealed that all Source games share a remote code execution flaw that can be triggered via Steam invites or community servers. In an email to RPS, Secret Club explained that this exploit gave the attacker "full control over the victim's system, which can be used to steal passwords, banking information, and more".

Most damning of all is that this exploit is allegedly still active—and despite discovering one instance two years ago, Secret Club claims Valve is trying to prevent it from sharing the knowledge publicly.

See more

Other, similar instances of the exploit (such as this CS:GO are more recent. But months after reporting the issue to Valve, Secret Club members report the studio has yet to even acknowledge the issue.

See more

Fears of a Source Engine security breach were raised last April, when leaked source code for TF2 and CS:GO revealed potential remote code execution exploits. At the time, Valve explained that the leaks were in fact "limited" builds from 2017-18, and posed no danger to players.

"From this review, we have not found any reason for players to be alarmed or avoid the current builds (as always, playing on the official servers is recommended for greatest security)," Valve said in a statement to PC Gamer at the time. "We will continue to investigate the situation and will update news outlets and players if we find anything to prove otherwise."

We've contacted Valve for comment on these latest exploits.

A one-time dog sledder, pancake flipper, alien wrangler and indie darling, Nat now scours the internet looking for the hottest PC gaming news. Destined to become Scotland's first Battlemech pilot.